doc: add meeting minutes 2023-11-23 (#1160)

* doc: add meeting minutes 2023-11-23 * Update meetings/2023-11-23.md Co-authored-by: Marco Ippolito <[email protected]> * Update meetings/2023-11-23.md Co-authored-by: Marco Ippolito <[email protected]> --------- Co-authored-by: Marco Ippolito <[email protected]>
nodejs · Nov 24, 2023 · 19033ae · 19033ae
1 parent 3a2864a
commit 19033ae
Showing 1 changed file with 67 additions and 0 deletions.
diff --git a/meetings/2023-11-23.md b/meetings/2023-11-23.md
@@ -0,0 +1,67 @@
+# Node.js  Security Team Meeting 2023-11-23
+
+## Links
+
+* **Recording**: https://www.youtube.com/watch?v=ZKKyUVbPY24&ab_channel=node.js
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1154
+* **Minutes Google Doc**: https://docs.google.com/document/d/11l2KWrMIzywSj_seO_4Xl24_Wq_hTs0Rz1AKPjPiFJg/edit
+
+## Present
+
+* Rafael Gonzaga: @RafaelGSS
+* Marco Ippolito: @marco-ippolito
+* Ulises Gascon: @ulisesGascon
+* Michael Dawson: @mhdawson
+* Thomas GENTILHOMME: @fraxken
+* Amir Montazery - @Amir-Montazery (https://github.com/ostif-org/OSTIF)
+* Prabhu Subramanian - @prabhu (author of cdxgen tool)
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+- [X] OpenSSF Scorecard Monitor Review
+  - PR: https://github.com/nodejs/security-wg/pull/1158
+  - resume: https://github.com/nodejs/security-wg/issues/1157
+
+### nodejs/security-wg
+
+* NodeJS Code integrity on Windows [#1149](https://github.com/nodejs/security-wg/issues/1149)
+  * Skipped to the next meeting
+
+* Amir from ostif.org - Discuss possibility of consulting engagement with security expert in November/December at 2023-11-09 3pm Security-WG meeting  [#1145](https://github.com/nodejs/security-wg/issues/1145)
+  * Discussing fuzzing for Node.js and its dependencies such as llhttp.
+  * David will be a point of contact for fuzzing on Node.js in December
+  * Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs
+  * llhttp: https://github.com/google/oss-fuzz/tree/master/projects/llhttp
+  * Amir will take action to create an issue for fuzzing on Node.js, so David can share his updates and make it an official initiative of the security team.
+    * (Fuzzing has been discussed in the past: https://github.com/nodejs/security-wg/issues/435)
+
+* Have a SBOM for Node.js? [#1115](https://github.com/nodejs/security-wg/issues/1115)
+  * Prabhu did a presentation on how we could generate the SBOMs in the CI
+  * Lifecycle of SBOMs
+  * Marco will get access to a machine for developing these materials locally as an experiement
+
+* License checker process/script [#1104](https://github.com/nodejs/security-wg/issues/1104)
+  * Skipped due to time
+
+* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
+    * Skipped due to time
+
+* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953)
+    * Skipped due to time
+
+* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898)
+  * RafaelGSS and Ceres6 wrote the following PR https://github.com/nodejs/node/pull/50758
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+